Closed Bug 1792450 Opened 2 years ago Closed 2 years ago

OpenPGP personal keys are lost because Thunderbird Daily replaced file encrypted-openpgp-passphrase.txt (returned unexpected: 301989892, RNP_ERROR_BAD_PASSWORD)

Categories

(Thunderbird :: Message Compose Window, defect, P1)

Tracking

(thunderbird_esr102 unaffected, thunderbird106 unaffected)

RESOLVED FIXED
107 Branch

People

(Reporter: aleca, Assigned: KaiE)

References

(Regression)

Details

(Keywords: dataloss, regression, Whiteboard: [fixed by backout])

Attachments

(1 obsolete file)

I'm not sure when it started and how, but the subject and body of draft messages are not saved. Currently happening on trunk/daily.

STR:

  • Compose a new message
  • Write something in the body and the subject
  • Save as draft
  • Close the compose window
  • Go to drafts and double click on the recently saved message

RESULT:
The message is blank.

Another issue, not sure if related:
If I try to open that draft from another machine, I get the "unable to decrypt" error.
I have OpenPGP configured in the original machine but I didn't encrypt the message before saving it, and I have "Disable encryption for new messages" option checked.

Marking this as P1 and S1 since it's pretty nasty.
102 is not affected if the message is saved from there.

We always encrypt draft messages, as soon as you have OpenPGP configured, as a precaution.

If you have OpenPGP configured, you were in possession of the private key at the time of configuring. We're using the public key for encryption.

If you're opening a saved draft message, the private key should still be available and should be usable for decryption.

If you don't have the private key on another computer, it's expected that you cannot decrypt the message.

(In reply to Kai Engert (:KaiE:) from comment #1)

We always encrypt draft messages, as soon as you have OpenPGP configured, as a precaution.
If you have OpenPGP configured, you were in possession of the private key at the time of configuring. We're using the public key for encryption.
If you're opening a saved draft message, the private key should still be available and should be usable for decryption.

That's the problem. The message is not decrypted when opening from draft on the same machine on the same TB installation with the same OpenPGP key configuration.

I guess our draft tests didn't catch this because we don't test that with OpenPGP enabled.
We definitely should.

(In reply to Alessandro Castellani [:aleca] from comment #3)

I guess our draft tests didn't catch this because we don't test that with OpenPGP enabled.

You would not catch that unless you restart and try to use the files from a different session

This regression was caused by bug 1790610

Depends on: 1790610
Summary: Save as draft doesn't save the subject or the content of the message → Save as draft doesn't save the subject or the content of the message (OpenPGP personal keys are lost)

Notice for users who are affected by this bug:

If you have started a Thunderbird Daily version between 2022-09-22 and 2022-09-26, and you have OpenPGP secret keys in your Thunderbird profile, those OpenPGP secret keys are lost.

The reason is that a fresh file encrypted-openpgp-passphrase.txt was replaced.

The previous file encrypted-openpgp-passphrase.txt was necessary to decrypt the contents of file secring.gpg

If you have a backup of the files from your profile, you can attempt to restore a previous version of file encrypted-openpgp-passphrase.txt

(In reply to Kai Engert (:KaiE:) from comment #4)

(In reply to Alessandro Castellani [:aleca] from comment #3)

I guess our draft tests didn't catch this because we don't test that with OpenPGP enabled.

You would not catch that unless you restart and try to use the files from a different session

Mh, I don't think so.
The problem happens immediately after closing the compose and opening the saved draft, in the same session without closing Thunderbird. So this scenario can be tested.

No longer depends on: 1790610
Regressed by: 1790610

(In reply to Alessandro Castellani [:aleca] from comment #7)

The problem happens immediately after closing the compose and opening the saved draft, in the same session without closing Thunderbird. So this scenario can be tested.

The problem happened earlier. The corruption was created at startup.

At the time you're composing the message, you already had the corruption. Your private key was already gone. You simply didn't notice yet, because for encryption only the public key was necessary (and the public key is still available).

Not before you attempted to edit the draft you needed the private key for decryption.

Whiteboard: [fixed by backout]
Target Milestone: --- → 107 Branch
Summary: Save as draft doesn't save the subject or the content of the message (OpenPGP personal keys are lost) → OpenPGP personal keys are lost because Thunderbird Daily replaced file encrypted-openpgp-passphrase.txt
Assignee: nobody → kaie
Status: NEW → ASSIGNED

Users of Thunderbird, who are affected by this bug, lost access to their OpenPGP secret keys.

Because only users of daily are affected, and hopefully very few, I suggest that we do NOT automatically repair.
It would be difficult anyway.
I don't think we should generally automatically move away the file with secret keys, that seems dangerous.

However, I would like to enable affected users to notice the problem.

Currently, users will experience broken OpenPGP functionality, and exceptions, with no indication why it's failing.

The attached patch will inform users when this scenario is experienced.
If we are unable to access a stored OpenPGP secret key, because our automatic password doesn't work, the patch shows an alert message that explains the situation, and asks users to manually clean up.

This patch can be useful in general. If some experienced users attempt to directly modify the secring.gpg file found in the Thunderbird profile directory (which they shouldn't do), they could cause the same kind of problem.

(In reply to Magnus Melin [:mkmelin] from comment #9)

Fixed by backout: https://hg.mozilla.org/comm-central/rev/cc3f06995948

This fix ensures that we don't damage additional profiles.
It doesn't repair the damage that was already created unfortunately.

Attachment #9296518 - Attachment is obsolete: true

Based on discussions in chat, we decided to not implement automatic repairing or information for users who are affected by this issue - because only users of Daily are affected, and it's a common risk of running the experimental Daily software, and therefore it seems acceptable to require manual repairing, and it seems also acceptable that users of Daily are able to reset their Thunderbird profile in case of problems. A message explaining the situation has been posted to the Thunderbird Daily mailing list:
https://thunderbird.topicbox.com/groups/daily/Tbf35bdb3aa11f6b3/daily-versions-2022-09-22-to-20-09-25-corrupted-openpgp-secret-key-storage

(In reply to Magnus Melin [:mkmelin] from comment #9)

Fixed by backout: https://hg.mozilla.org/comm-central/rev/cc3f06995948

Resolving fixed.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Summary: OpenPGP personal keys are lost because Thunderbird Daily replaced file encrypted-openpgp-passphrase.txt → OpenPGP personal keys are lost because Thunderbird Daily replaced file encrypted-openpgp-passphrase.txt (returned unexpected: 301989892, RNP_ERROR_BAD_PASSWORD)